Abstract. In solving a query, the SLD proof procedure for definite programs
sometimes searches an infinite space for a non-existing solution, for example
when querying a planner for an unreachable goal state. Such programs motivate
the development of methods to prove the absence of a solution. Considering the
definite program and the query <- Q as clauses of a first order theory, one can
apply model generators which search for a finite interpretation in which the
program clauses as well as the clause false <- Q are true. This paper develops
a new approach which exploits the fact that all clauses are definite. It is
based on a goal directed abductive search in the space of finite
pre-interpretations for a pre-interpretation such that Q is false in the least
model of the program based on it. Several methods for efficiently searching the
space of pre-interpretations are presented. Experimental results confirm that
our approach finds solutions with less search than with the use of a first
order model generator.
1 Introduction



For many definite programs there exist queries for which the SLD-tree (under
the left-to-right computation rule) is infinite. In some cases the infinite
tree contains no solution. This paper is about proving the latter efficiently.
Our original motivation stems from the world of planning. Typically, a planner
searches an infinite space of candidate plans for a plan satisfying all
requirements. It is useful to have a second process which searches for a proof
that not all requirements can be met; if found, the first process can be
stopped (and the other way around if a plan is found). Another application is
in proving that a program satisfies certain integrity constraints. For example,
a program defining even and odd numbers should satisfy the integrity constraint
that no number is both even and odd. This can be proven by showing that the
query <- even(X), odd(X) fails.

Failure of a query <— Q can be proven by showing that Q is not a logical 
consequence of the program, in other words by constructing an interpretation 
in which the program clauses are true (i.e. which is a model of the program) 
and in which Q is false (or alternatively the clause false <— Q is true). First 
order model generators |2^^,^,|4| can be used for this task. They search for 
an interpretation over a finite domain such that all clauses of a given set evaluate 
to true. 

This paper develops an alternative approach which exploits the fact that
definite programs have least models. If Q is false in some model based on a
pre-interpretation, then it is also false in the least model based on that
pre-interpretation. Hence, it should be better to search in the space of
pre-interpretations for a pre-interpretation such that Q is false in the least
model based on it than to search in the larger space of interpretations for an
interpretation such that the program clauses are true and Q is false.

While this paper is one of the first to address the problem of proving that
an SLD-tree contains no solutions, the related problem, proving that the
SLD-tree is finite, has received a lot of attention in the literature on
termination analysis. See fl3|| for a survey. As argued above, useful programs
exist for which the SLD-tree is not finite.

The problems caused by infinite branches in proof trees have also been
addressed in work on loop checking BJiM. The idea is to monitor the execution
and to try to prune infinitely failing branches. However, methods have to
choose between pruning too much (causing incompleteness of the proof procedure)
and preserving completeness but missing some infinite branches. Proof
procedures with tabling such as XSB pa] are perhaps a better alternative to a
completeness preserving procedure equipped with loop checking. They avoid the
overhead of monitoring the execution while using a different proof procedure
which, compared to SLD, reduces the number of infinite branches. In particular,
they always terminate for DATALOG programs.

The work in |jj takes a different approach. A logic program is represented as
a set of equivalence preserving rewrite rules. One of the effects of the
"simplification inference rule" is to eliminate certain infinite derivations.
We have not studied this approach in detail. We suspect its power is comparable
to that of conjunctive partial deduction 22,li| which is discussed in Section |[

Section || recalls the basics about pre-interpretations and introduces a
trivial example. Section ||, explains how a pre-interpretation can be described
by a number of facts, how a program can be abstracted as a DATALOG program,
and how the least model based on that pre-interpretation can be queried by
evaluating the abstracted query on the DATALOG program. Section || develops
two procedures for proving failure. The first one combines abduction with
tabulation and failure analysis. The second one combines constraints with
tabulation and develops two alternatives for the constraint solving. The first
alternative uses abduction and failure analysis in the constraint checking. The
second one translates the constraints into finite domain constraints and uses a
finite domain solver for the constraint checking. Section |] discusses
alternative approaches: the use of model generators for first order logic
p7| , p8|p5| , p^ | , of type analysis [1£,10| (a query fails if its inferred
type is empty) and of program specialisation [22,14| (the query fails if the
program, for the given query, can be specialised into the empty program). In
section |^, the different approaches are compared. Finally, in section |?], we
draw some conclusions. We assume some familiarity with the basics of
tabulation, e.g. pl| , p5p^ |.

Some of the authors of the current paper participated in a preliminary
investigation of the topic jn| . The current paper is an extension of the work
described



2 Preliminaries 



A pre-interpretation $J$ of a program $P$ consists of a domain
$D = \{d_1, \ldots, d_m\}$ and, for every functor $f/n$, a mapping $f_J$ from
$D^n$ to $D$. An interpretation $I$ based on a pre-interpretation $J$ extends
$J$ with a mapping $p_I$ from $D^n$ to $\{true, false\}$ for every predicate
$p/n$ in $P$. Extending the language of the program $P$ with the domain $D$, an
interpretation can be identified with the set of atoms $p(d_1, \ldots, d_n)$
for which $p_I(d_1, \ldots, d_n)$ is mapped to true.

An interpretation $I$ is a model of a program $P$ iff all clauses of $P$ are
true under the interpretation $I$. For every pre-interpretation $J$, a definite
program has a model $I$ based on $J$ (map $p_I(d_1, \ldots, d_n)$ to true for
all predicates and all domain elements). The intersection of a set of models
based on $J$ is also a model based on $J$, hence there is a unique least model
based on $J$. We denote this model by $LM_J(P)$. As a consequence, if an
existentially quantified conjunction $\exists X\, L_1 \wedge \ldots \wedge L_n$
(a query) is false in a model based on a pre-interpretation $J$ then it is also
false in $LM_J(P)$. So, to check whether some pre-interpretation $J$ can be the
basis of a model in which an existentially quantified conjunction is false, it
suffices to evaluate the conjunction in $LM_J(P)$. This can be summarised in
the following proposition:

Proposition 1. Given a pre-interpretation $J$, there exists an interpretation
$I$ based on $J$ which is a model of $P \cup \{false \leftarrow Q\}$ iff
$LM_J(P) \models false \leftarrow Q$.



Example 1. Even/odd

even(0) <-
even(s(X)) <- odd(X).
odd(s(X)) <- even(X).

$D = \{E, O\}$
$0_J = E$, $s_J(E) = O$, $s_J(O) = E$

The least model is {even(E), odd(O)}. The query <- even(X), odd(X) fails
because $\exists X\, even(X) \wedge odd(X)$ is false in this model. Executing
the program with
SLD or with a tabulating procedure (e.g. XSB (25)) results in infinite failure. All 
methods discussed in Section H can handle this problem. 
A variable assignment $\sigma$ is a mapping from variables to domain elements.
Given a pre-interpretation $J$, this mapping can be extended in a term
assignment (variables are assigned according to $\sigma$, functors according to
$J$). $J_\sigma(t)$ denotes the term assignment of $t$ under the
pre-interpretation $J$ and variable assignment $\sigma$. Given an
interpretation $I$, the mapping can be further extended to a truth assignment.
$I_\sigma(F)$ gives the truth value of the formula $F$ under the interpretation
$I$ (based on a pre-interpretation $J$) and the variable assignment $\sigma$.



3 Proof procedures 

In , Codish and Demoen developed so called abstract compilation to perform 
groundness analysis of logic programs. Applying a transformation on the original 
program, they obtain an abstracted program. Groundness is then derived from 
a least model of the abstracted program. In later work , they used the same 
technique to perform other analyses. Boulanger and coauthors explored the 
use of pre-interpretations to approximate the s-semantics || of programs and 
to derive properties from this approximation. In p8[ , the approach of Codish 
and Demoen is generalised and presented as defining a pre-interpretation and 
computing the least model of the abstracted program; several applications are 
presented. It became clear that abstract compilation is a technique allowing the 
efficient computation of a program's least model based on a pre-interpretation. 
Abstract compilation consists of eliminating non variable terms from clauses.
A term f(t1, ..., tn) is replaced by a fresh variable X and a call
p_f(t1, ..., tn, X) is added to the body of the clause. This is repeated until
all non variable terms have disappeared from the program clauses. Note that
this transformation is independent from the particular pre-interpretation. The
abstract program is completed with the pre-interpretation $J$ in relational
form: the set of facts
$\{p_f(d_1, \ldots, d_n, d) \leftarrow \;\mid\; f_J(d_1, \ldots, d_n) = d\}$.
Each fact represents a component of the pre-interpretation. With $J$ a
pre-interpretation, $P_J$ denotes its relational form.

Example 2. Applying abstract compilation on the program and pre-interpretation 

of Example [3, we obtain: 

even(X) <- p_0(X).
even(Y) <- p_s(X,Y), odd(X).
odd(Y) <- p_s(X,Y), even(X).

p_0(E) <-
p_s(E,O) <-
p_s(O,E) <-

The clauses together with the facts of the pre-interpretation form a DATALOG
program. The least model is {p_0(E), p_s(E,O), p_s(O,E), even(E), odd(O)}.
The formula $\exists X\, even(X) \wedge odd(X)$ is false in this model. While
the query <- even(X), odd(X) is nonterminating under SLD, it fails finitely
under well known proof procedures such as bottom-up evaluation after magic-set
transformation
or top-down methods enriched with tabulation such as OLDT |3l) and XSB . 
In what follows, we give some results formalising the relationship between a
program and its abstraction. First, we introduce some notational conventions.
With $Cl$ a clause, $Cl^a$ denotes its abstraction; with $P$ a set of clauses
(a program), $P^a$ denotes its abstraction. $J^a$ is the Herbrand
pre-interpretation of $P^a \cup P_J$. Remark that $J^a$ has the same domain as
$J$ as the domain elements are the only functors in $P^a \cup P_J$. $I_J$
denotes the interpretation which is the least Herbrand model of $P_J$. Finally,
$I^a$ is the interpretation of $P^a \cup P_J$ corresponding to the
interpretation $I$ when $I^a = I \cup I_J$.

Theorem 1. Let $I$ be an interpretation of $P$ based on pre-interpretation $J$
and $I^a$ the corresponding interpretation of $P^a \cup P_J$. The
interpretation $I$ is a model of $P \cup \{false \leftarrow Q\}$ iff $I^a$ is a
model of $P^a \cup P_J \cup \{false \leftarrow Q^a\}$.

Proof.

Consider a slightly different clause transformation which replaces a term
f(t1, ..., tn) by a fresh variable X and adds the equality f(t1, ..., tn) = X
to the body of the clause. Repeat this transformation until all non variable
terms are eliminated from argument positions in program predicates and from
argument positions in terms of the equalities. The difference between the
resulting clause $Cl'$ and the abstracted clause $Cl^a$ is that $Cl'$ has an
equality f(X1, ..., Xn) = X where $Cl^a$ has a call p_f(X1, ..., Xn, X).

This new transformation is equivalence preserving, hence $I \models Cl$ iff
$I \models Cl'$.

Given a variable assignment $\sigma$, $I_\sigma(f(X1, \ldots, Xn) = X)$ is true
iff $\sigma(X) = f_J(\sigma(X1), \ldots, \sigma(Xn))$. We also have that
$I^a_\sigma(p_f(X1, \ldots, Xn, X))$ is true iff
$\sigma(X) = f_J(\sigma(X1), \ldots, \sigma(Xn))$. Hence,
$I_\sigma(f(X1, \ldots, Xn) = X) = I^a_\sigma(p_f(X1, \ldots, Xn, X))$.

Also for program predicates, we have
$I_\sigma(p(X1, \ldots, Xn)) = I^a_\sigma(p(X1, \ldots, Xn))$, hence
$I \models Cl'$ iff $I^a \models Cl^a$. As this holds for all clauses and for
the query, the theorem follows. □

Abstract compilation is a simple variant of a more general transformation to
substitute predicate symbols by function symbols which is well known in logic,
e.g. @.

Corollary 1. Given a sound and complete proof procedure, the query
$\leftarrow Q^a$ fails for the program $P^a \cup P_J$ iff there exists an
interpretation $I$ based on $J$ such that $I(Q)$ is false.

Proof.

By Prop. 1, $I(Q)$ is false iff $LM_J(P) \models false \leftarrow Q$.

By Theorem 1, $LM_J(P) \models false \leftarrow Q$ iff
$LM_J(P^a) \cup I_J \models false \leftarrow Q^a$. $LM_J(P^a) \cup I_J$ is the
least Herbrand model of $P^a \cup P_J$, hence, given a sound and complete proof
procedure, $\leftarrow Q^a$ fails iff
$LM_J(P^a) \cup I_J \models false \leftarrow Q^a$ iff $I(Q)$ is false. □

4 The search for the right pre-interpretation 

To prove failure, the approach is to select a domain and a pre-interpretation
and to show finite failure when executing the abstracted query with the
abstracted program. A straightforward way consists of selecting a domain and
trying all pre-interpretations until one is found for which the query fails. If
none exists, one can try again with a larger domain. However, for programs with
a substantial number of function symbols and constants, this quickly results in
a very large search space. Indeed, with an n-element domain, an m-ary functor
has $n^{(n^m)}$ possible pre-interpretations.
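
The abstraction of Section 3 combined with the straightforward search just described, as an added Python example (not the authors' implementation): it abstracts the even/odd program, enumerates all pre-interpretations over growing domains, computes the least model of the resulting DATALOG program and checks the abstracted query. The term encoding, the function names and the `max_size` bound are assumptions of this example, and plain bottom-up fixpoint evaluation is used in place of a tabled top-down procedure.

```python
from itertools import count, product

def is_var(t):
    return isinstance(t, str)      # variables are strings, terms are tuples (functor, *args)

def flatten(term, calls, fresh):
    """Replace a non-variable term by a fresh variable and record the call p_f(args..., V)."""
    if is_var(term):
        return term
    f, *args = term
    args = [flatten(a, calls, fresh) for a in args]
    v = f"_V{next(fresh)}"         # assumed not to clash with program variables
    calls.append((("fun", f), args + [v]))
    return v

def abstract_clause(head, body):
    """Abstract compilation of one clause; head None stands for 'false'."""
    fresh, calls = count(), []
    def abs_atom(atom):
        pred, args = atom
        return (("pred", pred), [flatten(a, calls, fresh) for a in args])
    new_head = abs_atom(head) if head is not None else None
    new_body = [abs_atom(a) for a in body]
    return new_head, calls + new_body

def solve(body, subst, facts):
    """Yield every variable assignment that makes all body atoms true in 'facts'."""
    if not body:
        yield subst
        return
    (key, args), rest = body[0], body[1:]
    for fkey, vals in facts:
        if fkey != key or len(vals) != len(args):
            continue
        s = dict(subst)
        if all(s.setdefault(a, v) == v for a, v in zip(args, vals)):
            yield from solve(rest, s, facts)

def least_model(clauses, pre_facts, domain):
    """Least Herbrand model of the abstract program plus the facts of the pre-interpretation."""
    facts = set(pre_facts)
    while True:
        new = set()
        for head, body in clauses:
            for s in solve(body, {}, facts):
                free = list(dict.fromkeys(v for v in head[1] if v not in s))
                for vals in product(domain, repeat=len(free)):
                    full = {**s, **dict(zip(free, vals))}
                    new.add((head[0], tuple(full[v] for v in head[1])))
        if new <= facts:
            return facts
        facts |= new

def functors(term, acc):
    if not is_var(term):
        acc.add((term[0], len(term) - 1))
        for a in term[1:]:
            functors(a, acc)

def pre_interpretations(signature, domain):
    """All total functions D^n -> D for every functor, in relational form p_f(d1..dn, d)."""
    slots = [(f, args) for f, n in sorted(signature) for args in product(domain, repeat=n)]
    for values in product(domain, repeat=len(slots)):
        yield {(("fun", f), args + (d,)) for (f, args), d in zip(slots, values)}

def prove_failure(program, query, max_size=3):
    """Return (domain size, pre-interpretation, candidates tried) or None if none is found."""
    sig = set()
    for _, args in [a for h, b in program for a in [h] + b] + query:
        for t in args:
            functors(t, sig)
    clauses = [abstract_clause(h, b) for h, b in program]
    _, qbody = abstract_clause(None, query)
    for n in range(1, max_size + 1):
        domain = list(range(n))
        for tried, J in enumerate(pre_interpretations(sig, domain), 1):
            model = least_model(clauses, J, domain)
            if next(solve(qbody, {}, model), None) is None:   # query false in the least model
                return n, J, tried
    return None

# The even/odd program of Example 1 and the query <- even(X), odd(X).
ZERO = ("0",)
EVEN_ODD = [
    (("even", [ZERO]), []),
    (("even", [("s", "X")]), [("odd", ["X"])]),
    (("odd", [("s", "X")]), [("even", ["X"])]),
]
QUERY = [("even", ["X"]), ("odd", ["X"])]

if __name__ == "__main__":
    print(prove_failure(EVEN_ODD, QUERY))
```

With domain elements 0 and 1 playing the roles of the two domain elements of Example 1, the search rejects the single one-element pre-interpretation and succeeds on the third of the eight two-element candidates.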

Hence it is better to consider $P_J$, the part defining the pre-interpretation,
as unknown and to use a procedure which can guess the missing predicate
definitions. Abduction Q is such a mechanism. In an abductive setting, given is
a logic program $P$ defining a subset $D$ of its predicates, a set $T$ of
integrity constraints in classical logic and some query $Q$. Abduction searches
a definition $\Delta$ of the open, abducible predicates, i.e. those not defined
by $P$, such that $P \cup \Delta \models Q$ and $P \cup \Delta \models T$. For
our problem, the defined predicates are those defined by $P^a$ (the set of
abstracted clauses), the abducibles are $p_f/n+1$, the query is the abstracted
query <- not $Q^a$ (we want a solution for which the query fails) and the
integrity constraints are axioms restricting $p_f/n+1$ to correspond to a
pre-interpretation which is a total function, i.e.
$\forall X_1 \ldots X_n\, \exists! Y.\, p_f(X_1, \ldots, X_n, Y)$. Hence the
problem is to find a $\Delta$ such that
$P^a \cup \Delta \models false \leftarrow Q^a$ and satisfies the integrity
constraints.

In a first experiment, we have used the general purpose abductive procedure
SLDNFA jl6) to solve the problem. A first problem that we met was that SLDNFA
looped on the abstract program due to non-acyclic recursion in it. To overcome
this problem, the clauses defining the recursive predicates were transformed
into integrity constraints. Some initial experiments showed the feasibility,
but also the need for a dedicated procedure which allows to experiment with
different control strategies.

Abduction is complex in the general case due to the presence of variables in
abductive calls and the interaction with negation as failure. We are only
concerned with definite programs, which substantially simplifies the design of
a dedicated procedure. Moreover, we know that the pre-interpretation of a
functor $f/n$ is a total function from $D^n$ to $D$. Hence, a complete
pre-interpretation has exactly one fact p_f(d1, ..., dn, d) <- for every tuple
(d1, ..., dn) of domain elements and d is also a domain element. As a
consequence, our abductive procedure has only to "guess" among the domain
elements for the value of d. So it becomes fairly simple to ensure correctness
and completeness. A call p_f(t1, ..., tn, t) needs to be resolved with all the
facts p_f(d1, ..., dn, d) such that (d1, ..., dn) unifies with (t1, ..., tn).
If some of these facts do not yet exist, they have to be abduced. To obtain an
exhaustive search over all candidate abductive solutions, one has only to take
care that all domain elements are in turn considered as candidate values for d.

To overcome the problem of looping, our dedicated procedure makes use of
tabulation. Tabulation [31], [25], [33] avoids non termination in the case of
DATALOG programs. As we only consider definite programs, the concept is fairly
simple. When a call p(t1, ..., tn) to a tabled predicate is selected in a goal,
the goal is suspended and the query <- p(t1, ..., tn) is evaluated in isolation
of its goal. Eventually, evaluation of this new query leads to computed answer
substitutions $\sigma_1, \sigma_2, \ldots$ For each of these answers
$\sigma_i$, an answer lemma p(t1, ..., tn)$\sigma_i$ <- is stored (if not the
renaming of a previous answer) in the table associated with the call
p(t1, ..., tn). The suspended goal is reactivated for each answer lemma and a
resolution step is performed, using the answer lemma as program clause. If in
another goal the atom p(s1, ..., sn) is selected and the atom happens to be a
renaming of p(t1, ..., tn), then no separate query for <- p(s1, ..., sn) is
launched. The goal is simply suspended and is reactivated for each answer lemma
stored in the table associated with the query <- p(t1, ..., tn).

As the abstract program has no functors apart from the 0-arity domain
elements, only a finite number of distinct calls can occur. Also, for each
call, only a finite number of distinct answers can occur, hence termination is
ensured.

We prefer top-down evaluation with tabulation above bottom-up evaluation 
because top-down is goal directed. Our procedures use heuristics; these try to 
find those refutations which are short and use as few different components of the 
pre-interpretation as possible first. We find it more convenient to design such 
heuristics in the context of a top-down procedure. 

As a final remark, it is well possible that not all components of a
pre-interpretation are needed to evaluate a particular abstract query. In such
case, our dedicated procedure will not abduce the complete pre-interpretation.
For the not abduced facts p_f(d1, ..., dn, d) <-, any value d can be chosen.
Adding them will neither modify the proof structure nor the outcome of the
query evaluation.

4.1 An abductive approach 

When experimenting with a dedicated abductive procedure, an early observation
concerned the tabulation mechanism. Typically, several table entries were
created for the same predicate. Frequently, a "final" call occurred with a call
pattern where all arguments are free variables. This final call subsumed all
previous ones. Hence it is more efficient, when a call p(t1, ..., tn) occurs to
a tabled predicate, to compute once and for all the answers to the most general
query <- p(X1, ..., Xn). Unification of the call p(t1, ..., tn) with the answer
lemmas then selects the answers to the call which occurred. We also observed
that it was preferable to table all program predicates, whether recursive or
not. Again the sum of the costs of evaluating each separate call was larger
than evaluating once the most general call. We adopted these strategies in all
our systematic experiments and they are hard wired in the description of the
procedure below.

We need some notational conventions to describe the procedure. The state of
the computation is represented as a set of clauses. The symbol $Cl$ represents
a clause and the symbol $Cls$ represents a set of clauses. Clauses that are a
renaming of each other are considered equal. $As$ and $Bs$ represent sequences
of atoms. A clause is represented as $H \leftarrow As$ in which the head $H$ is
an atom (or false). $s$ and $t$ ($\bar{s}$ and $\bar{t}$) denote a term (a
vector of terms); $d$ ($\bar{d}$) denotes a domain element (a vector of domain
elements).
The procedure (Fig. 1) is described as a set of inference rules which extend
the state with new clauses. Given a query $\leftarrow As$, the initial state of
the derivation is represented as $\{false \leftarrow As\}$. $p/n$ refers to a
predicate of the original program; calls to such predicates are tabled. The
tabulation has an implicit representation: a predicate is tabled when the
clauses defining it occur in the state; answer lemmas for $p/n$ occur in the
state as facts $p(\bar{s}) \leftarrow$ (when all calls in the body of a clause
defining $p/n$ are solved, a fact is left). $abduce_f(\bar{t})$ is the notation
we use for a call to an abducible predicate $p_f(\bar{t})$ of the
pre-interpretation. These calls are not tabled. A clause
$H \leftarrow Lookup(p(\bar{t})), As$ is a suspended clause, waiting for
answers of the call $p(\bar{t})$. For simplicity of representation we assume
the computation rule always selects the leftmost atom in the body of a clause.



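| Nr | State | Condition | New State |
|----|-------|-----------|-----------|
| 1a | $\{H \leftarrow p(\bar{t}), As\} \cup Cls$ | not_tabled(p) | $\{H \leftarrow Lookup(p(\bar{t})), As\} \cup \{Cl \mid Cl \text{ is a clause defining } p\} \cup Cls$ |
| 1b | $\{H \leftarrow p(\bar{t}), As\} \cup Cls$ | tabled(p) | $\{H \leftarrow Lookup(p(\bar{t})), As\} \cup Cls$ |
| 2 | $Cls$ which contains $p(\bar{s}) \leftarrow$ and $H \leftarrow Lookup(p(\bar{t})), As$ | unify($\bar{s}$, $\bar{t}$) | $\{(H \leftarrow As)\,mgu(\bar{t}, \bar{s})\} \cup Cls$ |
| 3 | $Cls$ which contains $abduce_f(\bar{d}) \leftarrow$ and $H \leftarrow abduce_f(\bar{t}), As$ | unify($\bar{d}$, $\bar{t}$) | $\{(H \leftarrow As)\,mgu(\bar{t}, \bar{d})\} \cup Cls$ |
| 4 | $Cls$ which contains $H \leftarrow abduce_f(\bar{t}, t), As$ | $\exists \bar{d}$: (unify($\bar{t}$, $\bar{d}$) and $\forall d$: $abduce_f(\bar{d}, d) \leftarrow\; \notin Cls$) | $\{abduce_f(\bar{d}, d) \leftarrow\} \cup Cls$ where $d$ is a domain element |
| 5 | $Cls$ | $false \leftarrow\; \in Cls$ | failure |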



Fig. 1. Inference rules of abductive procedure. 



We assume a fixed number of domain elements. Rules 1 to 3 describe the
execution under tabling. Given a complete pre-interpretation, these rules will
derive all consequences. Rule 1 handles a call to a tabled predicate. The
clauses defining it are added to the state when it is the first call to the
predicate (1a). Whether the first call or not, the clause is suspended (the
selected call is wrapped inside Lookup). Rule 2 uses an answer lemma to derive
a new clause from a suspended one and rule 3 uses a fact from the
pre-interpretation to derive a new clause (here and elsewhere, the necessary
renaming is omitted to simplify the presentation). Rule 4 performs abduction on
demand: if rule 3 needs a component of the pre-interpretation which is not yet
defined, then rule 4 adds such a component to the state. The value assigned to
the component is chosen from the domain. This rule is non-deterministic; it
derives one new state for each domain element. Rule 5 detects that the query
has a solution, i.e. that the (partial) pre-interpretation being considered
does not meet the requirement. Hence it replaces the state by the final state
failure.

A solution is found when a final state is reached that is different from failure, 
(no new clauses can be derived). Although the pre-interpretation can still be 
partial, any extension to a complete pre-interpretation is the basis for a model 
of the program in which the query fails. 

Correctness and termination. Assuming the pre-interpretation (the set of facts
$abduce_f(\bar{d})$) is complete, rules 2 and 3 perform unit resolution on a set of clauses
consisting of the query and the program clauses. Rule 1 is a heuristic which delays 
resolution steps on program clauses until it is certain they can contribute in the 
derivation of the empty clause from the query. Unit resolution is known to be 
a correct and complete proof procedure for definite clauses; moreover, as the 
Herbrand universe of the program is the finite domain of the pre-interpretation, 
only a finite number of clauses can be derived and termination is ensured (for a 
fixed pre-interpretation) . 

However, the computation starts with an empty pre-interpretation. The role
of rule 4 is to create a component of the pre-interpretation as soon as rule 3 
can make use of it. This does not affect correctness. As rule 4 can only choose 
among a finite number of domain elements, and can only be applied a finite 
number of times in a particular derivation, overall termination remains ensured. 
Rule 5 plays the role of a filter, it stops the derivation when it detects that the 
query has a solution. 

Control. In our implementation, the choice offered by rule 4 is implemented 
through enumeration and backtracking. When applying rule 4, a choice point 
is created which keeps track of the untried domain elements. When rule 5 is 
activated, it triggers backtracking to the last choice point where the next value 
is tried. If none, backtracking continues to the previous choice point. The overall 
computation fails as soon as backtracking occurs and no alternative is left in any 
choice point. 

The order in which rules are applied can have a big impact on the size of the
search space. Obviously, rule 5, which triggers backtracking, should be
activated as soon as a clause (false <-) is inferred. Also, the creation of a
new choice point should be delayed as long as possible, i.e. one should not
create another choice point if the already abduced facts allow to infer the
clause (false <-). A simple implementation almost realising this strategy
selects the leftmost literal in a clause body and applies the applicable rule,
delaying the processing of the clause if the selected literal is an abducible
for which not all instances are already abduced. Once no other rules are
applicable, rule 4 is applied on one of the delayed clauses. Experiments showed
that more complex strategies (causing more meta-interpretation overhead) which
do not necessarily select the leftmost literal tend to perform better. In
processing new clauses, the system reported in section ^ has a preference for
applying a look-up step (rule 2). If none is applicable it attempts to apply
rule 3 on an abducible literal for which all matching components of the
pre-interpretation are defined (so that all resolvents can be computed at once
and the original clause can be removed). If the clause has no such abducible,
it is delayed. Once all clauses are delayed, it gives preference to the
application of rule 1 on a clause with only calls to program predicates. If no
such clause is delayed, rule 4 is applied on a delayed clause. A heuristic
selects the delayed clause containing the abducible which needs the least
number of yet to be abduced instances to allow for the application of rule 3
and abduces those instances.

4.2 A constraint approach 

We use a more compact notation in this section. We write abduce(f(a),X)
instead of abduce_a(Y), abduce_f(Y,X). With this notation, the abstraction of
an atom p(f(a)) becomes abduce(f(a),X), p(X).

A weakness of the abductive approach can be illustrated with the following
example: assume that the pre-interpretation of a functor f/1 has already been
abduced as abduce(f(d1),d1) and abduce(f(d2),d2) and that a clause
false <- abduce(f(g(h(a))),X), abduce(g(h(a)),X) is derived. The
pre-interpretation of f/1 is such that for all domain elements d, f(d) = d,
hence, whatever the pre-interpretation for a/0, h/1, and g/1, false <- will be
derived. The abductive system will abduce pre-interpretations for a/0, h/1, and
g/1, and will then discover the failure. It will exhaustively enumerate all
pre-interpretations for a/0, h/1, and g/1 before backtracking to the
pre-interpretation of f/1.

A constraint based approach can to a large extent avoid such problems. We
consider the abducibles as constraints and use a special purpose constraint
solver which checks the existence of a pre-interpretation which satisfies all
constraints. In the above example, if the pre-interpretation of f/1 is
constrained to the shown one and the clause
false <- abduce(f(g(h(a))),X), abduce(g(h(a)),X) is derived, then the solver
detects the inconsistency and triggers backtracking.

This approach makes it necessary to reformulate our abductive system. The
major difference is with respect to the tabulation. The answers to a tabled
predicate are no more simple facts but constrained facts (of the form
p(A) <- abduce(...), ..., abduce(...)). A problem is that one can have an
infinite number of syntactically different answers. However, with a finite
domain and a fixed pre-interpretation, the set of answers (its model) is
finite. So it must be possible to add constraints which enforce the finiteness.
Before presenting the formal system, we illustrate the main ideas with the
even/odd example.

Example 3. Even/odd 

The program is as follows: 

even(X) <- abduce(0,X).
even(Y) <- abduce(s(X),Y), odd(X).
odd(Y) <- abduce(s(X),Y), even(X).

The execution is shown in Fig. ||. We represent the state of the derivation
by three components, the set of clauses, the set of answers and the constraint
store which holds the set of constraints (as before, the component with the
fixed abstract program is left out). ∅ stands for the empty set. Lookup is
abbreviated as L, and false, abduce, even and odd respectively as f, ab, e and
o. Finally, sb is the abbreviation of subsumed.

0. In the initial state the only clause is the query. The leftmost atom is
selected; the two clauses defining even/1 are added to the set of clauses and
the original clause suspends, waiting for answers from even/1.

1. The second clause, a constrained fact, is selected. A choice point is
created. The first alternative adds the constraint
subsumed(even(X) <- abduce(0,X), ∅) to the constraint store in an attempt to
have the new fact subsumed by the existing ones. Whatever the
pre-interpretation, abduce(0,d) is true for some domain element d and even(d)
is an answer which is not subsumed by previous answers as there are none. Hence
the constraint is false and the second and last alternative is taken: the fact
is added to the set of answers and the constraint
not(subsumed(even(X) <- abduce(0,X), ∅)) is added to the store. The constraint
is equivalent to true, hence the store remains empty.

2. The call odd(X) is selected in the second clause; the clause defining odd/1
is added. In the (omitted) new state, this clause is chosen and its atom
even(X) is selected. As even/1 has been called before, no new clauses are
added.

4. This step and the next one perform resolution between the answer and
suspended first and last clause. In one of the new clauses,
abduce(s(X),Y), abduce(0,X) is abbreviated as abduce(s(0),Y).

6. One step selects the atom odd(X) in the second clause and suspends the
clause. Another step selects the last clause which is a constrained answer. We
have a choice point; as there are no previous answers for odd/1, the
subsumption constraint leads again to an inconsistent store and the
not-subsumption constraint is again equivalent to true. Hence, the net effect
is that the clause is added to the answers.

8. The next two steps perform resolution between the new answer and the second
and third clause, resulting in two new clauses.

10. The third clause is a constraint, consistent with the store, and is added
to it. The constraint says that 0 and s(0) have to be different under the
pre-interpretation.

11. The fourth clause is an answer for even/1. A choice point is created. The
first alternative creates the constraint that the new answer is subsumed by the
existing answers:
subsumed(even(Y) <- abduce(s(s(0)),Y), {even(X) <- abduce(0,X)}). It is
consistent with the constraint store (e.g. with $p_0 = E$, $p_s(E) = O$,
$p_s(O) = E$, subsumed(even(E), {even(E)}) is true), hence it is added to it
and the answer clause is dropped. The new constraint says that 0 and s(s(0))
have to be equal under the pre-interpretation.

12. No new clauses can be derived. The store is consistent, hence there exists
a pre-interpretation satisfying it (e.g. abduce(0,d1), abduce(s(d1),d2) and
abduce(s(d2),d1)) and <- even(X), odd(X) is false in the least model based on
a pre-interpretation consistent with the constraint store.
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Clauses 


Answers 


Constraint Store 





/ <- e(X),o(X) 








1 


f ^ L(e(X)),o(X) 
e(X) <- a6(0,X) 
e(y)^a6( S (X),y),o(X) 








2 


/^L(e(X)),o(X) 
e(y)^ a fe( s (X),y), (X) 


e(X) <- a6(0,X) 





4 


/ <- L(e(X)),o(X) 

e(y) <- ab(s(X),Y),L(o(X)) 

o(Y) <- ab(s(X),y),L(e(X)) 


e(X) <- a6(0,X) 





6 


/«-L(e(X)),opO 

/ <- a&(0,X),o(X) 

e(y) <- ab(s(X),Y),L(o(X)) 

o(Y) +-ab(s(X),Y),L(e(X)) 

o(Y) «- ab(s(0),Y) 


e(X) <- a6(0,X) 





8 


f ^ L(e(X)),o(X) 
f ^ ab{0,X),L(o(X)) 
e(Y) <- ab(s{X),Y),L(o{X)) 
o(Y) <- a6(s(X),y),L(e(X)) 


e(X) <- a6(0,X) 
o(y) <- ab(s(Q),Y) 
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/«-L(e(X)),opO 

/^a&(0,X),L(o(X)) 

/ <- a6(0,X),a6(s(0),X) 

e(y) <- a6(s(X),y),L(o(X)) 

e(Y)«-aft(«(*(0)),y) 

o(y) <- a&(s(X),Y),L(e(X)) 


e(X) <- a6(0,X) 
o(y) <- ab(s(0),y) 
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/^L(e(X)),o(X) 

/^a6(0,X),L(o(X)) 

e(y) <- ab(s(X),Y),L(o{X)) 

e(Y)^ab(s(s(0))),Y), 

o(Y) <- a6(s(X),y),L(e(X)) 


e(X) <- a6(0,X) 
o(Y)^ab(s(0),Y), 


/ <- a6(0,X),o&(s(0),X) 
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/<-L(e(X)),o(X) 
/^a6(0,X),L(o(X)) 
e(y) <- a6(s(X),y),L(o(X)) 
o{Y) <- afe(s(X),y),L(e(X)) 


e{X) <- a6(0,X) 

(y) <- ab( s (o),y) 


/ <- a6(0,X),ob(s(0),X) 
sfe(e(y) <- ab(s(s(0)),y), 
{e(X)^a6(0,X)» 



Fig. 2. Constraint based execution for even-odd program. 
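
The outcome of step 12 can be checked by exhaustive enumeration. The Python below is an added illustration, not code from the paper: it enumerates every pre-interpretation of 0 and s/1 over a small domain, computes the least model of the abstracted even/odd program, and compares the pre-interpretations that falsify the query with those satisfying the two constraints of the final store. All function names are assumptions of this example, and the enumeration is brute force rather than the goal-directed procedure of the paper.

```python
from itertools import product


def least_model(zero, succ):
    """Least model of the abstracted even/odd program under one pre-interpretation.

    Program (abduce(t, X) holds when X is the domain element assigned to t):
        even(X) <- abduce(0, X).
        even(Y) <- abduce(s(X), Y), odd(X).
        odd(Y)  <- abduce(s(X), Y), even(X).
    `zero` is the element assigned to 0; `succ[d]` is the element assigned to s(d).
    """
    even, odd = {zero}, set()
    while True:
        new_even = {succ[d] for d in odd} - even
        new_odd = {succ[d] for d in even} - odd
        if not (new_even or new_odd):
            return even, odd
        even |= new_even
        odd |= new_odd


def pre_interpretations(n):
    """All pre-interpretations of {0, s/1} over the domain {d1, ..., dn}."""
    domain = [f"d{i}" for i in range(1, n + 1)]
    for zero in domain:
        for images in product(domain, repeat=n):
            yield zero, dict(zip(domain, images))


def query_fails(zero, succ):
    """True when <- even(X), odd(X) is false in the least model."""
    even, odd = least_model(zero, succ)
    return not (even & odd)


def satisfies_store(zero, succ):
    """The two constraints in the store of state 12 of the derivation."""
    s0 = succ[zero]
    differs = s0 != zero           # false <- abduce(0,X), abduce(s(0),X)
    folds_back = succ[s0] == zero  # new answer even(s(s(0))) subsumed by even(0)
    return differs and folds_back


def refuting(n):
    """Pre-interpretations over n elements whose least model falsifies the query."""
    return [p for p in pre_interpretations(n) if query_fails(*p)]


def store_models(n):
    """Pre-interpretations over n elements that satisfy the final constraint store."""
    return [p for p in pre_interpretations(n) if satisfies_store(*p)]


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, len(store_models(n)), len(refuting(n)))
```

With two domain elements the two sets coincide; with three elements, 18 pre-interpretations satisfy the store and all of them falsify the query, while 6 further ones falsify it without identifying s(s(0)) with 0.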
The inference rules of the constraint procedure are shown in Fig. 3. A state,
consisting of clauses, answers and a constraint store is represented as Cls ◇
Answ ◇ Store. The symbols As and Bs stand for any sequence of atoms, while
Abds stands for a sequence consisting solely of abduce atoms. Store stands for
a conjunction (set) of constraints, Answ for a set of answers (constrained facts)
and Answ_p for the subset of answers about predicate p. The initial state is given
by false <— As ◇ ∅ ◇ ∅ where <— As is the query. subs(x, y) is an abbreviation
for subsumed(x, y) and not_subs(x, y) for not(subsumed(x, y)); inconst(x)
is an abbreviation for inconsistent(x). Remember that arguments of program
predicates of the abstracted program are always variables.

Nr   State                          Condition       New State

1a   {H <- p(t), As} ∪ Cls          not_tabled(p)   {H <- Lookup(p(t)), As} ∪ Cls
     ◇ Answ ◇ Store                                 ∪ {Cl | Cl is a clause defining p}
                                                    ◇ Answ ◇ Store

1b   {H <- p(t), As} ∪ Cls          tabled(p)       {H <- Lookup(p(t)), As} ∪ Cls
     ◇ Answ ◇ Store                                 ◇ Answ ◇ Store

2    Cls ◇ Answ ◇ Store             unify(s,t)      {(H <- Abds, As)mgu(t,s)} ∪ Cls
     p(s) <- Abds ∈ Answ                            ◇ Answ ◇ Store
     H <- Lookup(p(t)), As ∈ Cls

3    {false <- Abds} ∪ Cls                          Cls ◇ Answ
     ◇ Answ ◇ Store                                 ◇ {false <- Abds} ∪ Store

4    Cls ◇ Answ ◇ Store             inconst(Store)  failure

5a   {p(X) <- Abds} ∪ Cls                           Cls ◇ Answ ◇
     ◇ Answ ◇ Store                                 {subs(p(X) <- Abds, Answ_p)}
                                                    ∪ Store

5b   {p(X) <- Abds} ∪ Cls                           Cls ◇ {p(X) <- Abds} ∪ Answ ◇
     ◇ Answ ◇ Store                                 {not_subs(p(X) <- Abds, Answ_p)}
                                                    ∪ Store

Fig. 3. Inference rules of constraint procedure.



Rules 1a, 1b and 2 are as before. Rule 3 adds a new constraint to the
constraint store. Rule 4 stops the derivation with failure when the store is
inconsistent. Rule 5 processes a new answer lemma. It is a non-deterministic rule.
5a handles the alternative where it is enforced that the new answer lemma is
subsumed by the existing answers (Answ_p). The lemma is deleted and the
subsumption constraint is added to the store. 5b handles the case where it is enforced
that the answer is not subsumed by the previous ones. It is added to the answers
and the negation of the subsumption constraint is added to the store.

Correctness and termination. This proof procedure preserves the properties
about correctness and completeness of the abductive one. In terms of the
inferences it makes, the difference is that it uses constrained facts {p(X) <— Abds}
instead of facts p(t) and that it delegates the processing of the calls to the
abducibles to the constraint solver. Hence the inferences it makes are correct
and completeness is preserved. Termination remains ensured if the number of
answers for each program predicate remains finite and consistency checking is
terminating. A not(subsumed(...)) constraint stating that the new answer is
not subsumed by the previous ones is added to the constraint store each time that
a new answer is added to the answer set. With n the size of the domain, the
number of distinct atoms in the model of a m-ary predicate is limited to m^n. Hence,
if more than m^n answers are added for the same predicate, an inconsistent store
will be reached. The consistency check has to verify that a pre-interpretation
exists which satisfies all constraints. As the number of different pre-interpretations
is finite and the number of constraints is finite, its termination can be ensured.

Control and consistency checking. The best way to handle the choice offered by 
rule 5 is through enumeration and backtracking where preference is given to rule 
5a as it leads to the smallest answer set, hence to the shortest derivation. 

In the abductive algorithm the choice implies a commitment for a particular 
component of the pre-interpretation. In this algorithm the choice does not imply 
such a direct commitment. However, adding a non redundant constraint reduces 
the number of pre-interpretations that satisfy all constraints; it is a kind of 
indirect commitment. 

The solver which has to verify the consistency plays a crucial role. We have 
explored two alternatives. The first approach (abductive solver) abduces the 
components of the pre-interpretation as needed during the verification of the 
constraints. Backtracking is triggered when a constraint is violated. (This is sim- 
ilar to the strategy in the abductive algorithm, but at the level of the constraint 
checking.) Note that the constraint checking can be incremental; each time a 
new constraint is added, the search starts from the partial pre-interpretation 
satisfying all previous constraints. 

The second approach (finite domain solver) encodes the search for a
pre-interpretation as a finite domain problem. A finite domain variable ranging over
the domain of the pre-interpretation is associated with the terms occurring in the
constraints and boolean variables are used to express the equality between the
pre-interpretation of different terms. We sketch the encoding using the even-odd
example. Let D be the domain of the pre-interpretation. A finite domain variable
D_t ranging over D represents the pre-interpretation of a term t and boolean
variables B_{t1=t2} indicate whether or not the terms t1 and t2 have the same
pre-interpretation. Such boolean variables are linked to the domain variables
through definitions B_{t1=t2} <-> D_{t1} = D_{t2} which ensure propagation of new
information. Consider the constraint false <— abduce(0,X), abduce(s(0),X).
To handle it we introduce finite domain variables D_0 and D_{s(0)}. We can
translate the constraint to false <— D_0 = X, D_{s(0)} = X or, after elimination of X:
false <— B_{0=s(0)} or B_{0=s(0)} = 0. To express the connection between 0 and
s(0), we add for all d ∈ D the constraint B_{0=d} ≤ B_{s(0)=s(d)}¹. Note that this
implies the creation of finite domain variables D_{s(d)}. Now consider the constraint
subsumed(even(Y) <— abduce(s(s(0)),Y), {even(X) <— abduce(0,X)}). It
contains a new term s(s(0)), so a domain variable D_{s(s(0))} is created and it is
linked with D_{s(0)} by adding for all d ∈ D the constraint B_{s(0)=d} ≤ B_{s(s(0))=s(d)}.
The subsumption constraint is expressed as B_{s(s(0))=0} = 1. (Its negation is
represented as B_{s(s(0))=0} = 0.) This translation ensures that all choices which are
made are immediately propagated.

1 Or equivalently B_{0=d} -> B_{s(0)=s(d)}.

4.3 Failure analysis and symmetries 

Consider the abductive system and the constraint system with the abductive
solver. Chronological backtracking is triggered by the derivation of a false <—
clause. However, not all the components of the pre-interpretation abduced so
far necessarily have contributed to its derivation. So, chronological
backtracking may result in thrashing. The amount of backtracking can be substantially
reduced. In the context of the abductive system, a simple approach is to
associate with each clause the set of abductive facts used in its derivation. In
each derivation step, the set associated with the new clause is the union of
the sets of the two parent clauses. When abducing a new fact, the associated
set is the abduced fact itself. In this way, when false <— is derived, one
obtains an associated conflict set identifying the abduced facts used in the
derivation of the clause. Backtracking is then directed to the last abduced
fact in the set. To support also the derivation of secondary conflict sets, the
technique of intelligent backtracking [8] is used. With S_1 ∧ {abduce_f(s, d1)} a
conflict set which backtracks to the generator of abduce_f(s, _), the conflict set
S_1 ∧ {abduce_f(s, d1)} is stored with the generator of this abductive component.
If it happens that all possible assignments for that component get rejected, then
one obtains a set of conflicts which can be formalised as: S_1 ∧ {abduce_f(s, d1)} ->
false, ..., S_n ∧ {abduce_f(s, dn)} -> false. Applying hyper-resolution on these
clauses and abduce_f(s, d1) ∨ ... ∨ abduce_f(s, dn), which expresses that there must
be a domain element assigned to the term f(s), one obtains the secondary
conflict S_1 ∧ ... ∧ S_n -> false and one can backtrack to the most recent abducible
in that set. Note that a trade-off between the time lost in rediscovering the
same conflict set and the time and space lost in storing and checking previous
conflict sets has to be made. It is done by storing the conflict set with the
generator of the most recent abduced fact present in the conflict set. This approach
avoids inefficiencies in accessing relevant conflict sets. However, if, due to another
conflict, one backtracks beyond that generator, then the information about the
conflicts stored with it is lost, even though this conflict set could still be
useful for future pruning.
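
The effect of conflict sets on the amount of backtracking can be seen on the two constraints of the even/odd store. The Python below is an added illustration, not the paper's Prolog implementation: it enumerates the components of a pre-interpretation over {d1, d2}, returns the components used when `false` is derived, backtracks to the most recent component in that set, and forms the secondary conflict as the union of the conflicts of all rejected values. The constants c1 and c2 are constructed irrelevant components, the enumeration order is chosen to provoke thrashing, and conflict sets are not stored for later reuse.

```python
DOMAIN = ("d1", "d2")

# Constructed enumeration order: the irrelevant constants c1 and c2 sit between
# the components of s/1 and the component of the constant 0.
ORDER = ["s(d1)", "s(d2)", "c1", "c2", "0"]


def violated(pre):
    """Evaluate the even/odd store on a partial pre-interpretation.

    Returns the set of components used to derive `false`, or None when no
    constraint is violated by the components assigned so far.
    """
    zero = pre.get("0")
    s0 = pre.get(f"s({zero})")
    if zero is None or s0 is None:
        return None
    if s0 == zero:                        # false <- abduce(0,X), abduce(s(0),X)
        return {"0", f"s({zero})"}
    ss0 = pre.get(f"s({s0})")
    if ss0 is not None and ss0 != zero:   # 0 and s(s(0)) must be equal
        return {"0", f"s({zero})", f"s({s0})"}
    return None


def solve(order, backjump):
    """Search for a pre-interpretation; return (solution or None, abductions made)."""
    pre, tries = {}, 0

    def extend(i):
        # None means a full pre-interpretation was reached; otherwise the
        # returned set is a conflict set over components order[0..i-1].
        nonlocal tries
        if i == len(order):
            return None
        comp, secondary = order[i], set()
        for value in DOMAIN:
            pre[comp] = value
            tries += 1
            conflict = violated(pre)
            if conflict is None:
                conflict = extend(i + 1)
                if conflict is None:
                    return None
            if backjump and comp not in conflict:
                # This component did not contribute to the failure: skip it.
                del pre[comp]
                return conflict
            secondary |= conflict - {comp}
        # Every value was rejected: S_1 and ... and S_n -> false.
        del pre[comp]
        return secondary

    found = extend(0) is None
    return (dict(pre) if found else None), tries


if __name__ == "__main__":
    print("chronological:", solve(ORDER, backjump=False))
    print("conflict-directed:", solve(ORDER, backjump=True))
```

Both searches reach the same pre-interpretation, but the chronological one re-enumerates c1 and c2 after every failure of the component for 0.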

The conflict sets obtained in this way are not optimal. In fact, as Peltier
[24] points out, it is not feasible to compute optimal conflict sets: if there is no
model for the given domain size, the optimal conflict set is empty. However
further improvements are feasible. For example, consider the clause false <— t1
= t2, Y = t3. It leads to the clause false <— whenever the pre-interpretations
of t1 and t2 are equal. However, our approach will also include the components
used in computing the pre-interpretation of t3. Improved failure analysis could
be achieved by applying substitutions. Indeed for any expression E, the
(pre-)interpretation of E, X = t for which X does not occur in t is equal to the
(pre-)interpretation of E{X/t}. The abductive constraint solver uses this rule to
simplify false <— Abds constraints. The abductive procedure does not use it as it
performs abstract compilation as a pre-processing step and the integration of
this optimisation would require a complete redesign of the system (one should
keep track of the used components of the pre-interpretation at the level of
individual terms instead of at the clause level). The abductive constraint solver also
sharpens the conflict set of violated subsumption constraints: it selects an
argument for which the subsumption constraint is violated and returns as conflict
set the components used in evaluating that argument.

As noted by Peltier [24], applying a permutation of the domain on a
partial (pre-)interpretation yields an isomorphic (pre-)interpretation. It can be
extended into a model iff the original one can be extended in a model. In
particular, if S is a conflict set, so is S{d_1/d'_1, ..., d_n/d'_n} with {d'_1, ..., d'_n}
a permutation of {d_1, ..., d_n}. There is again a trade-off between the time
lost in rediscovering an isomorphic conflict and in storing and using such
conflicts to prune the search. We follow what we understand to be the approach
in [24]: when a conflict set is found and the system backtracks and considers
the next candidate, it is checked whether that candidate has a subset which
is isomorphic to the conflict set which triggered the backtracking. For
example, assume a conflict {abduce_f(d1, d1), abduce_a(d2)} is derived and the
enumeration modifies the second component into abduce_a(d3). The new partial
pre-interpretation contains the set {abduce_f(d1, d1), abduce_a(d3)} which is
isomorphic to the original one under the permutation {d3/d2, d2/d3} and is rejected.
Note that {abduce_f(d2, d2), abduce_a(d1)} is also isomorphic to the original
conflict set. While it can be part of a candidate still to be explored in the search
space, this conflict set is not stored for future pruning.
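
The isomorphism test described above can be written down directly. The Python below is an added illustration, not the paper's code: it searches for a permutation of the domain that maps a conflict set into a subset of a candidate partial pre-interpretation, using the conflict set from the text and constructed candidates. The encoding of abduce_f(d1, d1) as the pair ("f", ("d1", "d1")) and all function names are assumptions of this example.

```python
from itertools import permutations


def rename(facts, perm):
    """Apply a domain permutation to every domain element of every abduced fact."""
    return frozenset(
        (functor, tuple(perm[d] for d in elems)) for functor, elems in facts
    )


def isomorphic_image(conflict, candidate, domain):
    """Return a permutation mapping `conflict` into a subset of `candidate`, or None.

    The permutation must be a bijection on the whole domain, so two distinct
    elements of the conflict set can never be mapped to the same element.
    """
    candidate = frozenset(candidate)
    for image in permutations(domain):
        perm = dict(zip(domain, image))
        if rename(conflict, perm) <= candidate:
            return perm
    return None


def prune(candidates, conflict, domain):
    """Keep only the candidates that contain no isomorphic copy of the conflict."""
    return [c for c in candidates if isomorphic_image(conflict, c, domain) is None]


DOMAIN = ("d1", "d2", "d3")

# Conflict set from the text: {abduce_f(d1, d1), abduce_a(d2)}.
CONFLICT = {("f", ("d1", "d1")), ("a", ("d2",))}

# Constructed candidate partial pre-interpretations.
CANDIDATES = [
    # Second component changed into abduce_a(d3): isomorphic, rejected.
    {("f", ("d1", "d1")), ("a", ("d3",))},
    # Contains {abduce_f(d2, d2), abduce_a(d1)} plus an extra fact: rejected.
    {("f", ("d2", "d2")), ("a", ("d1",)), ("f", ("d1", "d3"))},
    # f has no fixed point here, so no copy of the conflict exists: kept.
    {("f", ("d1", "d2")), ("a", ("d3",))},
    # Would need d1 and d2 mapped to the same element: kept.
    {("f", ("d1", "d1")), ("a", ("d1",))},
]


if __name__ == "__main__":
    for cand in CANDIDATES:
        print(sorted(cand), "->", isomorphic_image(CONFLICT, cand, DOMAIN))
```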



5 Alternative approaches 

Model generation. The logic program and the clause false <— query can be
considered as a logical theory. A model of this theory is a proof that the query
fails. There exist general purpose tools for generating models of logical theories.
FINDER [27, 28], written in C, is such a tool; it takes as input a set of clauses in
a many-sorted first order language, together with specifications of finite
cardinalities of the domains for the sorts, and generates interpretations on the given
domains which satisfy all the clauses [27]. A basic difference with our approach
is that it not only enumerates the pre-interpretation but also the interpretation
(the mapping from the atoms to true or false). Also, it is not goal directed; the
system checks whether all ground instances of all clauses are true in the candidate
interpretation. If a clause instance is found which is false, then the components
of the interpretation which have been used in the evaluation make up what we
called the conflict set and are used to direct the search (using hyper-resolution
as described in Section 4.3 to derive secondary conflicts). Another difference is
that FINDER stores conflict sets permanently (unless they are too big) and uses
elaborate algorithms to exploit them efficiently in pruning the search. FINDER
reports a model when it discovers an interpretation which is true for all clause
instances. FINDER uses a typed language and can only handle binary
predicates and functors. To overcome that restriction we used a special encoding for
predicates and functors of higher arity. For example, with n the size of domain
D and f/3 a ternary functor, we introduce a domain with cardinality n × n,
a binary functor f_h : D × D -> D_h, and a binary functor f_b : D_h × D -> D.
Then we replace every occurrence f(t1, t2, t3) by f_b(f_h(t1, t2), t3). In addition
f_h/2 should have a different value for each different input and FINDER should
not backtrack over the choices made for f_h/2. This can be achieved with
declaring f_h injective and ensuring that the choice points for f_h/2 are created first.
[28] states that the order in which functors are declared is important and that
the first declared ones change least rapidly during the backtracking. The first
results we obtained with FINDER || were rather poor. The results reported in
the current paper are much better. They are obtained with the ordering which
places the special functor f_h first, then the constants, then the other functors
and finally the predicates.

In a recent paper, Peltier [Q presents a new system FMCatinf which claims
to do a better failure analysis than FINDER and SEM and exploits
symmetries to further improve the pruning of the search space. As with other finite
model builders for first order logic, it enumerates the full interpretation, not
only the pre-interpretation. Our understanding is that the concept of covering
refutation used to prune the search is very similar to our use of intelligent
backtracking (which we added to our system described in |^| after we learned about
the work of Peltier).



Regular approximations. Within the context of program analysis, the most
obvious approach to prove failure is to add a clause shouldfail(A) <— query(A)
and to use one or another kind of type inference to show that the success-set of
shouldfail(A) is empty. A typical representative of such systems is described
in [|Tg||; it computes a regular approximation of the program. Roughly speaking,
for each argument of each predicate, the values it can take in the success-set²
are approximated by a type (a canonical unary logic program). Failure of the
query is proven if the types of shouldfail(A) are empty. Also set based
analysis p0| can be used to approximate the success-set. Set-based analysis originates
from [23]; it was then studied (improved and implemented) in Q. The tool that
we use is a composition of inference of a directional type (as in JfO|, based on
set-based analysis) with the theorem prover SPASS p4j.

2 The set of ground atoms which are logical consequences of the program.

Program specialisation. One could also employ program transformation, and
more specifically program specialisation techniques to prove failure of the query.
If for the given query, the program can be specialised in the empty program,
then the query trivially fails. A technique which has almost the same power as
transformations based on the fold/unfold approach is conjunctive partial
deduction [22, 14]. By specialising conjunctions of atoms instead of single atoms, it can
achieve substantially better results than other specialisers. For example it can
specialise the even/odd program into the empty program for our example query.



6 Experiments 

Table 1 gives details about the benchmarks³. Besides the name, the table gives
the number of clauses (without the query), the number of predicates, the size 
of the domain, the size of a pre-interpretation, the number of different pre- 
interpretations (including symmetric ones), the size of an interpretation (the 
number of atoms to be mapped to true or false), and the number of different 
interpretations (for a fixed pre-interpretation) . 



name          #clauses  #pred  size(dom)  size(pre)  #pre   size(int)  #int/pre
odd_even      3         2      2          3          2^3    4          2^4
wicked_oe     4         3      2          10         2^10   10         2^10
appendlast    4         2      3          12         3^12   13         2^13
reverselast   4         2      3          12         3^12   13         2^13
nreverselast  6         3      5          28         5^28   150        2^150
schedule      12        6      3          12         3^12   24         2^24
multiseto     7         1      2          7          2^7    4          2^4
multisetl     4         2      2          7          2^7    12         2^12
blockpair2o   15        3      2          19         2^19   12         2^12
blockpair3o   15        3      2          36         2^36   20         2^20
blockpair2l   14        5      2          19         2^19   32         2^32
blockpair3l   14        5      2          36         2^36   40         2^40
blocksol      14        5      2          19         2^19   32         2^32
BOO019-1      4         1      3          32         3^32   9          1

Table 1. Properties of benchmark programs



odd_even is a trivial example about even and odd numbers. wicked_oe is an
extension which adds a call to each clause and 4 functors which are irrelevant for
success or failure. It allows us to see whether failure analysis is accurate enough
to achieve the same level of pruning as in odd_even. appendlast, reverselast,
nreverselast and schedule are small but hard examples. On one hand, they
illustrate the use of integrity constraints to express program properties; on the
other hand, they have circulated as challenging problems for program
specialisers which should be able to specialise them into the empty program. The query
for appendlast expresses the integrity constraint that appending a list ending
in a cannot result in a list ending in a b. The query for reverselast expresses
that reversing a list with the accumulating parameter initialised as [a] cannot
result in a list ending in a b. The query for nreverselast expresses that naive
reverse applied on a list beginning with an a cannot result in a list ending in a b.
Finally, the schedule program is a program that attempts to transpose successive
positions in a list of elements until a configuration is reached with two successive
c elements. The query expresses the integrity constraint that such configuration
cannot be reached from a configuration consisting of one c followed by one or
more n. multiseto and multisetl are programs to check the equivalence of two
multisets. While the first uses a binary operator "o" to build sets, the second
uses a list representation and auxiliary predicates to manipulate the list. The
others are typical examples from a large set of planning problems reasoning on
multisets of resources. The first two use the "o" representation for the multiset,
the next two the "l" (list) representation. blockpair2o and blockpair2l omit
the argument for collecting the plan, which is irrelevant for success or failure
(and have 6 functors less). blocksol is there to show what happens when the
query does not fail. It uses the list representation and also omits the argument
collecting the plan. Finally, BOO019-1 is an axiomatisation of a ternary boolean
algebra (a typical problem from the theorem proving community taken from the
TPTP library |2!|). Its only predicate is equality, whose interpretation can be
fixed to the identity (so the number of different interpretations is only 1 instead
of 2^9).

3 The code is available at http://www.cs.kuleuven.ac.be/~henkv/prc

The abductive system AB uses the control as described in Section 4.1 and is
augmented with the intelligent backtracking and symmetry checking as described
in Section 4.2. The constraint system gives lowest priority to rule 5 which creates
a choice point. Rule 4 which checks for consistency of the constraints is activated
each time a new constraint is generated. The system with the abductive solver
(ABCS) also uses intelligent backtracking and is able to derive more accurate
conflict sets than AB. The system with the finite domain solver (FDCS) does
not apply intelligent backtracking as this is difficult to integrate with the
standard pruning techniques of finite domain solvers p2f. Both constraint systems
eliminate only the most obvious symmetry in the search space (when starting
the enumeration with abduce_a(X) they will consider only one domain value for
X).

The abductive systems are implemented in Prolog. The queries have been
executed with MasterProlog on a SUN Sparc Ultra-2. The constraint system
FDCS is also written in Prolog, uses the SICSTUS finite domain solver and
was running under SICSTUS Prolog |50) on the same machine. ABCS was also
running under SICSTUS Prolog. FINDER is implemented in C and was also
running on a SUN Sparc Ultra-2. Regular approximations (RA) were computed
with a system due to John Gallagher, conjunctive partial deduction (CPD) with
a system due to Michael Leuschel. Witold Charatonik was so kind to run our
examples on his tool for set based analysis (SBA) described in Section 5. Finally,
Nicolas Peltier was so kind to run our examples on the FMCatinf system pi|
under a SUN4 ELC.

Table 2 gives the times for the various systems. The times are in seconds,
unless followed by H, in which case it is in hours. The notation > xH means no
solution was found after x hours; M means out of memory. For CPD, RA and
SBA, we do not give times as these systems do not perform an exhaustive search
but a standard analysis of the given program; yes means failure was proven. As
blocksol does not fail, it was not run on these systems.

Table 3 gives the number of backtracks. For the constraint systems, two
numbers are given: #bcktr is the number of backtracks inside the solver, i.e.
those with respect to the pre-interpretation, #Tbcktr is the number with respect
to the choices made regarding tabling.



name          AB      FDCS    ABCS     FINDER   FMC     CPD   RA    SBA
odd_even      0.01    0.00    0.00     0.02     0.00    yes   yes   yes
wicked_oe     0.07    0.00    0.00     0.02     0.01    yes   yes   yes
appendlast    0.53    0.45    0.09     0.17     45.21   yes   no    yes
reverselast   0.38    3.70    0.94     0.17     10.79   no    no    yes
nreverselast  5.87H   >19H    >19H     >16.5H   >900    yes   no    no
schedule      0.10    0.31    0.07     0.03     0.15    no    no    yes
multiseto     0.04    0.04    0.02     0.02     0.02    no    yes   yes
multisetl     0.01    0.06    0.03     0.02     0.08    yes   no    yes
blockpair2o   1.83    0.38    0.11     0.08     7.31    no    no    no
blockpair3o   7.60    0.42    0.14     0.18     >900    no    no    no
blockpair2l   2.83    2.36    1.17     0.05     204.9   no    no    no
blockpair3l   29.24   2.49    1.34     0.12     M       no    no    no
blocksol      200.78  7.7H    2558.58  1896.3   >900
BOO019-1      1.20    4.34    0.14     0.03     0.06    no    no    no

Table 2. Times.



6.1 Discussion 

One should refrain from comparing results for individual examples. A different 
order over the choice points can give a very different result. This is definitely 
so for FINDER, which imposes an almost static ordering over the choice points. 
The order used in (|] was giving much worse results. The abductive system 
AB determines the order dynamically. Still, a small change in the heuristics for 
selecting the next rule application can result in a different order over the choice 
points and in substantially different results. For example, a variant of the AB 
system solved blockpair3l in 2.60s with 18 backtracks (but was doing worse
when considering the whole benchmark suite). 

The effect of pruning based on symmetries in the AB system is not reported
in the tables. Of the problems with 2 element domains, it triggers only one
pruning step in blocksol which has to search the whole solution space. It causes
one pruning step in each of the problems with 3 element domains, but makes the
difference on nreverselast where a 5 element domain is needed to construct a
model. There, it causes 120 pruning steps in the search space of the AB system.

name          AB       FDCS               ABCS               FINDER     FMC
              #bcktr   #bcktr   #Tbcktr   #bcktr   #Tbcktr   #bcktr     #bcktr
odd_even      4                                                         3
wicked_oe
appendlast    43                                             618        110019
reverselast   30       68       2         303      2         614        23445
nreverselast  190170   ?        ?         ?        ?         > 5·10^7   ?
schedule      24       13       1         106      1         37         497
multiseto     10       7                  30                            104
multisetl     3        6        1         21       1         12         469
blockpair2o   17       25                 49                 262        5567
blockpair3o   56       25                 51                 879        ?
blockpair2l   28       3943     2         2733     2         68         91404
blockpair3l   130      4009     2         2737     2         366        ?
blocksol      3615     1396146  385       1970544  169       4007523    ?
BOO019-1      72       4                  34                 14         33

Table 3. Amount of backtracking.

Comparing the twin problems odd_even and wicked_oe, blockpair2o and
blockpair3o, blockpair2l and blockpair3l, we observe that FDCS with the
finite domain solver is almost not distracted by the extra functors, which are
irrelevant for the failure. Apparently, its control strategy is such that those extra
functors are enumerated as the last ones, when the more constrained functors already
received a correct assignment in the domain of the pre-interpretation. Also the
failure analysis of the abductive solver ABCS turns out to be very accurate
and the amount of backtracking is almost unaffected by the extra functors. The
failure analysis of the abductive system AB includes those functors in conflict
sets so that the backtracking becomes less accurate and more backtracks occur
before a solution is found. This also holds for the model generators FINDER
and FMCatinf.

The abductive system AB is the only system solving all problems and is 
doing very well in terms of number of backtracks (apart from wicked_oe and 
BOO019-1). Its implementation is very straightforward (linear lists for clauses,
abduced facts and tabled answers), so there is a lot of room for improving its 
speed. As a consequence it is often slower than the constraint systems. The 
latter, also implemented in Prolog, use more elaborate data structures. 

Both constraint systems FDCS and ABCS are doing pretty well. Although
they are also implemented in Prolog, they use more elaborate data structures
and are often faster than AB, even when they need more backtracks. Their
performance degrades when they have to backtrack frequently over their decision
with respect to the subsumption of new answers (#Tbcktr). This is a major
weakness. The more they have to backtrack over the subsumption decisions, the
more the size of their search space becomes close to that of the model generators
FINDER and FMCatinf. A problem is that they have no control over the order
of these choice points and cannot do better than chronological backtracking
over all possibilities. This problem is prominent in blocksol where they have to
search the whole space of interpretations of size 2^19 × 2^32 whereas AB searches in
the space of pre-interpretations of size 2^19. The poor performance in this problem
is not a real drawback. The use of the model generator should be combined with
the use of a theorem prover which should be able to find a plan for blocksol.
We suspect this problem is at the basis of their failure on the nreverselast
problem where the domain size is 5. A positive point is that answer lemmas can
contain variables, in which case they cover several ground answers. This limits
somewhat the number of different answer sets which have to be considered during
the search. (FINDER needs much more backtracks on the blocksol problem.)

Whereas our original results confirmed those of |^4j that FMCatinf most 
of the time outperforms FINDER, more fine tuning of the FINDER input re- 
versed the picture. Its implementation in C and its use of specialised data struc- 
tures pays of on the class of problems we consider. It is fast on all but the hard 
problems. In blocksol it is beaten by AB (over 4 million backtracks against 
3615 for AB) and it was stopped on nreverselast after 50 million backtracks. 
FINDER is pre-processing short clauses. Likely this eliminates a lot of candidate 
solutions (it solves multiseto without backtracking). FMCatinf, which has no 
such pre-processing, is unable to solve several problems, in particular the planning 
problems with a list representation. The latter problems are those where the 
reduction of search space by our approach (the space of pre-interpretations 
versus the space of interpretations; see last column in Table 1) is largest. 

The advantage for our systems that they search the smaller space of pre- 
interpretations disappears on the TPTP problem B00019-1 and similar prob- 
lems. Hence the first order model generators do as well or better in terms of 
number of backtracks and, due to their fine tuned C implementations, outper- 
form our systems in speed. 

Conjunctive partial deduction can handle some of the problems which are 
difficult for us, but cannot handle any of the planning problems. Computing 
regular approximations is fast, but it can show failure of the most simple prob- 
lems only. The set based analyser is more precise and fails only on the planning 
problems, nreverselast and B00019-1. 



7 Conclusion 

For definite logic programs, we have addressed the problem of proving that cer- 
tain queries cannot succeed with an answer. A problem which is particularly 
relevant when the query does not fail finitely. We have developed two new ap- 
proaches which aim at searching a model of the program in which the query is 
false. We have performed some experiments using (rather small) example programs 
and queries which do not terminate (see footnote 4). We also did a comparison with other 
approaches which could be used to tackle this problem: general purpose model 
generation tools, the use of type inference, and the use of program specialisation. 
In the case of type inference, the approach is in fact also to compute a model. 
However, the chosen model is the one which best reflects the type structure 
of the program. If the query happens to be false in this model, then failure is 
shown. Also in the case of program specialisation, showing failure is a byproduct 
of the approach: for some queries, the program happens to be specialised into 
the empty program. 

Abduction is a very powerful and general problem solving technique. It was 
pretty easy to formulate the problem of searching a pre-interpretation such that 
the query is false in the least model based on it as an abductive problem and 
to use a general purpose abductive procedure [16]. But we quickly realised that 
we had almost no control over the search for a solution. Our first approach 
was to build a special purpose abductive procedure for definite programs which 
employs tabulation and which hard wired the constraints that pre-interpretation 
of functors are total functions. The idea behind the proof procedure is to use a 
top-down evaluation strategy — abducing a part of the pre-interpretation only 
when needed in evaluating the query — and to prevent looping by the use of 
tabulation. Experiments confirmed our intuition that it was important to delay 
the abduction of new components in the pre-interpretation as long as possible 
(to propagate all consequences of what was already abduced to check whether 
it was part of a feasible solution) . After adding failure analysis to improve upon 
chronological backtracking as in systems as FMCatinf @ and FINDER (2?],^] , 
the system is doing quite well. It outperforms FMCatinf in speed and number 
of backtracks. Compared with FINDER, it typically needs far fewer backtracks, 
though it can only beat FINDER in speed for a couple of hard problems. 

We also explored a variant which treats the definition of the pre-interpretation 
as constraints. This allows the decisions to be delayed up to the point where answers 
have to be tabled: at such a point one needs to know whether the answer is new 
or not. Still we do not fix the pre-interpretation at such a point but formulate 
constraints on the pre-interpretation, using a solver to check the existence of a 
pre-interpretation satisfying all constraints. We experimented with a finite do- 
main solver and with an abductive solver. We obtained good results; however 
the systems start to slow down when a lot of backtracking over the decisions 
with respect to new answers being subsumed by the existing ones is needed. 
The number of possible backtracks quickly goes up with the arity of the pred- 
icates, as the example blocksol, where the query does not fail, illustrates. It 
also increases quickly with the size of the domain needed to show failure e.g. 
nreverselast. Unless one finds some heuristics to control the order of choice 
points, or some knowledge to do better than the chronological backtracking over 
these choice points, the abductive system seems more promising. 



4 These programs also loop when using tabulation or when executing bottom-up after 
a magic set transformation. 
Our experiments indicate that our approach is a better basis for proving failure 
of queries over definite programs than applying general purpose model generators 
such as FINDER and FMCatinf. Searching the space of pre-interpretations 
for a pre-interpretation such that the query is false in the least model based on 
it requires on average much less backtracking than searching the larger space 
of interpretations. Searching in the smaller space of pre-interpretations has a 
cost: the query needs to be evaluated in the least model. Tabulation turned out 
to be a very effective approach which keeps the cost of the query evaluation 
at acceptable levels. (As the program abstracted under the pre-interpretation is 
a DATALOG program, also loop checking can ensure termination of the query 
evaluation. At some point we experimented with this and got a very large slow 
down as the number of derived clauses substantially increased.) 

Our approach is also more powerful than type inference based on Regular 
Approximations. Conjunctive Partial Deduction and Set Based Analysis turn 
out to be quite powerful on some classes of problems but cannot solve any of the 
planning problems. 

A limitation of our approach, but also of the model generators is that they 
cannot prove failure if the query is only false in a model based on an infinite 
domain. For example less(N,s(N)) <— and less(N,s(M)) <— less(N,M) and 
the query <— less(N,M),less(M,N). Also set based analysis and conjunctive 
partial deduction are unable to prove failure of this query. 
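
The search over pre-interpretations, and the finite-domain limitation just described, can be reproduced on a small scale. The following Python code is an added example, not the authors' abductive procedure: it enumerates every pre-interpretation over domains of increasing size by brute force, computes the least model bottom-up, and tests whether the query is false in it. The term encoding and all function names are assumptions made for this illustration; the two programs are odd_even from the appendix and the less program above.

```python
from itertools import product

def term_vars(t):
    # Variables are strings; constants and compound terms are tuples (functor, arg, ...).
    return {t} if isinstance(t, str) else set().union(*map(term_vars, t[1:]))

def value(t, pre, env):
    """Value of term t in the domain under pre-interpretation `pre`."""
    if isinstance(t, str):
        return env[t]
    return pre[t[0]][tuple(value(a, pre, env) for a in t[1:])]

def ground(atom, pre, env):
    return (atom[0],) + tuple(value(a, pre, env) for a in atom[1:])

def envs(atoms, n):
    """Every assignment of domain elements 0..n-1 to the variables of `atoms`."""
    vs = sorted(set().union(*(term_vars(t) for a in atoms for t in a[1:])))
    for vals in product(range(n), repeat=len(vs)):
        yield dict(zip(vs, vals))

def least_model(program, pre, n):
    """Naive bottom-up fixpoint of the program abstracted under `pre`."""
    model, changed = set(), True
    while changed:
        changed = False
        for head, body in program:
            for env in envs([head] + body, n):
                h = ground(head, pre, env)
                if h not in model and all(ground(b, pre, env) in model for b in body):
                    model.add(h)
                    changed = True
    return model

def pre_interpretations(functors, n):
    """All assignments of a total function D^k -> D to each functor, D = {0..n-1}."""
    tables = []
    for name, arity in functors:
        args = list(product(range(n), repeat=arity))
        tables.append([(name, dict(zip(args, outs)))
                       for outs in product(range(n), repeat=len(args))])
    for choice in product(*tables):
        yield dict(choice)

def prove_failure(program, query, functors, max_size):
    """Return (n, pre) with the query false in the least model based on pre, else None."""
    for n in range(1, max_size + 1):
        for pre in pre_interpretations(functors, n):
            model = least_model(program, pre, n)
            if not any(all(ground(q, pre, env) in model for q in query)
                       for env in envs(query, n)):
                return n, pre
    return None

# Clauses are (head, body) pairs; both programs are taken from the paper's text.
zero = ("zero",)
ODD_EVEN = [(("even", zero), []),
            (("even", ("s", "X")), [("odd", "X")]),
            (("odd", ("s", "X")), [("even", "X")])]
ODD_EVEN_QUERY = [("even", "X"), ("even", ("s", "X"))]
LESS = [(("less", "N", ("s", "N")), []),
        (("less", "N", ("s", "M")), [("less", "N", "M")])]
LESS_QUERY = [("less", "N", "M"), ("less", "M", "N")]

if __name__ == "__main__":
    print(prove_failure(ODD_EVEN, ODD_EVEN_QUERY, [("zero", 0), ("s", 1)], 3))
    print(prove_failure(LESS, LESS_QUERY, [("s", 1)], 3))
```

For odd_even the search stops at a two-element domain in which zero maps to 0 and s swaps the two elements, giving the least model {even(0), odd(1)}. For the less query it returns None at every size tried, because in a finite domain repeated application of s must enter a cycle, which puts some pair less(e,e) in the least model.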

In a broader context, this paper makes contributions to the following topics: 

— A (first) study of methods to prove (infinite) failure of definite logic pro- 
grams. 

— The development of a proof procedure which combines tabulation with ab- 
duction and of a constraint based procedure which treats the abducibles as 
constraints and uses a constraint solver to check the existence of a solution 
for the abducibles. Also the latter procedure uses tabulation. 

— A better understanding of the power and limitations of abduction. While 
very expressive, our findings suggest that abductive procedures need to be 
augmented with "background" knowledge to direct the search for abductive 
solutions. Simply specifying the properties of an abductive solution as an 
integrity constraint cannot provide sufficient guidance to the search for a 
solution. It is interesting to observe that background knowledge is also often 
the key to success in Inductive Logic Programming which makes use of in- 
ductive procedures which are in more than one aspect "twins" of abductive 
procedures |Q. 

— The further development of model based program analysis. [18] showed that 
model based program analysis implicitly introduced in [12] is also an excellent 
method for type inference. In O] it was shown that there exist 
pre-interpretations which encode various other declarative properties of pro- 
grams. Our work takes this work one step further by developing methods for 
automatically constructing a pre-interpretation which expresses a particular 
program property (or integrity constraint) expressed as a query which should 
fail. 
Appendix 

7.1 Prolog code of examples 

odd_even. Here and further on, the considered queries are the bodies of 0-arity 
predicates. 

even(zero).
even(s(X)) :- odd(X).
odd(s(X)) :- even(X).
odd_even :- even(X), even(s(X)).

wicked_oe. A version of odd_even with an extra superfluous argument which 
creates a term with 4 different functors. 

wicked_even(zero,U) :- wicked_p(U).
wicked_even(s(X),U) :- wicked_odd(X,_V), wicked_p(U).
wicked_odd(s(X),U) :- wicked_even(X,_V), wicked_p(U).
wicked_p(f(g(h(a)))).
wicked_oe :- wicked_even(X,_U1), wicked_even(s(X),_U2).

appendlast. Appending [a] to a list cannot yield a list ending in a b. 

app([],L,L).
app([H|X],Y,[H|Z]) :- app(X,Y,Z).
last([X],X).
last([H,H2|T],X) :- last([H2|T],X).
appendlast :- app(X,[a],Xs), last(Xs,b).

reverselast. If the accumulator is initialised with a list ending in a, then the 
result of the call to reverse cannot be a list ending in a b. 

last([X],X).
last([H,H2|T],X) :- last([H2|T],X).
reva([],Acc,Acc).
reva([Y|Z],R,Acc) :- reva(Z,R,[Y|Acc]).
reverselast :- reva(L,R,[a]), last(R,b).
nreverselast. Reversing a list beginning with an a cannot result in a list ending 
in b. 

rev([],[]).
rev([X|Y],R) :- rev(Y,S), app(S,[X],R).
app([],L,L).
app([H|X],Y,[H|Z]) :- app(X,Y,Z).
last([X],X).
last([H,H2|T],X) :- last([H2|T],X).
nreverselast :- rev([a|X],R), last(R,b).

schedule. There cannot be 2 c's in a list with all n's but the first element. 

mv(R) :- tr(R,NewR), mv(NewR).
mv(R) :- atleast2c(R).    % success iff R is non-safe state
tr([c,n|Rs],[n,c|Rs]).
tr([n|Rs],[n|NewRs]) :- tr(Rs,NewRs).
tr([],[]).
cFirst([c|Qs]) :- nOnly(Qs).
nOnly([n|Qs]) :- nOnly(Qs).
nOnly([n]).
atleast2c([c|L]) :- atleast1c(L).
atleast2c([n|L]) :- atleast2c(L).
atleast1c([c|_]).
atleast1c([n|L]) :- atleast1c(L).
schedule :- cFirst(R), mv(R).

multiseto. A program to check that two multisets contain the same elements. 
The multiset is represented with a functor o/2 and a constant emptyMultiSet. 
This is more a specification than a program. It needs iterative deepening to find 
answers. 

sameMultiSet(X, X).
sameMultiSet(o(X, Y), o(X, Z)) :- sameMultiSet(Y, Z).
sameMultiSet(o(o(X, Y), Z), U) :- sameMultiSet(o(X, o(Y, Z)), U).
sameMultiSet(U, o(o(X, Y), Z)) :- sameMultiSet(U, o(X, o(Y, Z))).
sameMultiSet(o(emptyMultiSet, X), Y) :- sameMultiSet(X, Y).
sameMultiSet(X, o(emptyMultiSet, Y)) :- sameMultiSet(X, Y).
sameMultiSet(o(X, Y), Z) :- sameMultiSet(o(Y, X), Z).
multiseto :- sameMultiSet(o(a, o(a, emptyMultiSet)),
                          o(_X, o(emptyMultiSet, b))).

multisetl. The same problem as a normal Prolog program using lists. The query 
mil corresponds to the query ml. It does not terminate due to the presence of 
the variable. 

sml([], []).
sml([X|Y], D) :- delete(X, D, E), sml(Y, E).
delete(M, [M|T], T).
delete(M, [H|T], [H|L]) :- delete(M, T, L).
multisetl :- sml([a], X), sml(X, [b]).

blockpair2o. A number of planning problems based on a planner due to Michael 
Thielscher which operates on a multiset of resources. It has to be executed under 
iterative deepening to find plans for most problems (which have a solution). 

In the first problem, the argument collecting the plan — which is irrelevant 
for the existence of a solution — is omitted. The multisets are represented using 
a constant for the empty set and a binary operator. 

causesPair(I1, I2) :- sameMultiSet(I1, I2).
causesPair(I, G) :- actionPair(C, E), sameMultiSet(o(C, Z), I),
                    causesPair(o(E, Z), G).
actionPair(ho(V), o(ta(V),o(cl(V),em))).
actionPair(o(cl(V),o(ta(V),em)), ho(V)).
actionPair(o(ho(V),cl(W)), o(on(V,W),o(cl(V),em))).
actionPair(o(cl(V),o(on(V,W),em)), o(ho(V),cl(W))).
actionPair(o(on(V,W),o(cl(V),em)),
           o(on(s(s(V)),s(V)), o(on(s(V),V), o(on(V,W),
           o(cl(s(s(V))),em))))).
actionPair(o(on(s(s(V)),s(V)), o(on(s(V),V), o(on(V,W),
           o(cl(s(s(V))),em)))),
           o(on(V,W), o(cl(V),em))).
sameMultiSet(X, X).
sameMultiSet(o(X, Y), o(X, Z)) :- sameMultiSet(Y, Z).
sameMultiSet(o(o(X, Y), Z), U) :- sameMultiSet(o(X, o(Y, Z)), U).
sameMultiSet(U, o(o(X, Y), Z)) :- sameMultiSet(U, o(X, o(Y, Z))).
sameMultiSet(o(emptyMultiSet, X), Y) :- sameMultiSet(X, Y).
sameMultiSet(X, o(emptyMultiSet, Y)) :- sameMultiSet(X, Y).
sameMultiSet(o(X, Y), Z) :- sameMultiSet(o(Y, X), Z).
blockpair2o :-
    causesPair(o(on(s(nul),nul), o(ta(nul), o(cl(s(nul)),em))),
               o(on(s(s(nul)),s(nul)), o(on(s(nul),nul), o(ta(nul),
               o(cl(s(s(nul))),em))))).

blockpair3o. Same problem but with the extra argument to collect the plan. 

causesPair(I1, void, I2) :- sameMultiSet(I1, I2).
causesPair(I, plan(A, P), G) :- actionPair(C, A, E),
    sameMultiSet(o(C, Z), I), causesPair(o(E, Z), P, G).
actionPair(ho(V), put_down(V), o(ta(V),o(cl(V),em))).
actionPair(o(cl(V),o(ta(V),em)), pick_up(V), ho(V)).
actionPair(o(ho(V),cl(W)), stack(V,W), o(on(V,W),o(cl(V),em))).
actionPair(o(cl(V),o(on(V,W),em)), unstack(V), o(ho(V),cl(W))).
actionPair(o(on(V,W),o(cl(V),em)), add_two,
           o(on(s(s(V)),s(V)), o(on(s(V),V),
           o(on(V,W), o(cl(s(s(V))),em))))).
actionPair(o(on(s(s(V)),s(V)), o(on(s(V),V),
           o(on(V,W), o(cl(s(s(V))),em)))),
           delete_two,
           o(on(V,W), o(cl(V),em))).
sameMultiSet(X, X).
sameMultiSet(o(X, Y), o(X, Z)) :- sameMultiSet(Y, Z).
sameMultiSet(o(o(X, Y), Z), U) :- sameMultiSet(o(X, o(Y, Z)), U).
sameMultiSet(U, o(o(X, Y), Z)) :- sameMultiSet(U, o(X, o(Y, Z))).
sameMultiSet(o(emptyMultiSet, X), Y) :- sameMultiSet(X, Y).
sameMultiSet(X, o(emptyMultiSet, Y)) :- sameMultiSet(X, Y).
sameMultiSet(o(X, Y), Z) :- sameMultiSet(o(Y, X), Z).
blockpair3o :-
    causesPair(o(on(s(nul),nul), o(ta(nul), o(cl(s(nul)),em))),
               _Plan,
               o(on(s(s(nul)),s(nul)), o(on(s(nul),nul), o(ta(nul),
               o(cl(s(s(nul))),em))))).

blockpair2l. The next planner represents resources as a list. No argument to 
collect the plan. 

causesPairl(I, I).
causesPairl(I, G) :- actionPairl(C, E), m_subset(C, I, Z), app(E, Z, S),
                     causesPairl(S, G).
actionPairl([ho(V)], [ta(V),cl(V),em]).
actionPairl([cl(V),ta(V),em], [ho(V)]).
actionPairl([ho(V),cl(W)], [on(V,W),cl(V),em]).
actionPairl([cl(V),on(V,W),em], [ho(V),cl(W)]).
actionPairl([on(V,W),cl(V),em],
            [on(s(s(V)),s(V)),on(s(V),V),on(V,W),cl(s(s(V))),em]).
actionPairl([on(s(s(V)),s(V)),on(s(V),V),on(V,W),cl(s(s(V))),em],
            [on(V,W),cl(V),em]).
m_subset([], L, L).
m_subset([H|T], L1, L2) :- delete(H, L1, L3), m_subset(T, L3, L2).
delete(M, [M|T], T).
delete(M, [H|T], [H|L]) :- delete(M, T, L).
app([], X, X).
app([X|Y], Z, [X|W]) :- app(Y, Z, W).
blockpair2l :-
    causesPairl([on(s(0),0),ta(0),cl(s(0)),em], Sequence),
    m_subset([on(s(s(0)),s(0)),on(s(0),0),ta(0),
              cl(s(s(0))),em], Sequence, []).
blockpair3l. With an extra argument to collect the plan. 

causesPairl(I, void, I).
causesPairl(I, plan(A,P), G) :- actionPairl(C, A, E), m_subset(C, I, Z),
    app(E, Z, S), causesPairl(S, P, G).
actionPairl([ho(V)], put_down(V), [ta(V),cl(V),em]).
actionPairl([cl(V),ta(V),em], pick_up(V), [ho(V)]).
actionPairl([ho(V),cl(W)], stack(V,W), [on(V,W),cl(V),em]).
actionPairl([cl(V),on(V,W),em], unstack(V), [ho(V),cl(W)]).
actionPairl([on(V,W),cl(V),em], add_two,
            [on(s(s(V)),s(V)),on(s(V),V),on(V,W),cl(s(s(V))),em]).
actionPairl([on(s(s(V)),s(V)),on(s(V),V),on(V,W),cl(s(s(V))),em],
            delete_two, [on(V,W),cl(V),em]).
m_subset([], L, L).
m_subset([H|T], L1, L2) :- delete(H, L1, L3), m_subset(T, L3, L2).
delete(M, [M|T], T).
delete(M, [H|T], [H|L]) :- delete(M, T, L).
app([], X, X).
app([X|Y], Z, [X|W]) :- app(Y, Z, W).
blockpairl :-
    causesPairl([on(s(nul),nul),ta(nul),cl(s(nul)),em],
                _Plan, Sequence),
    m_subset([on(s(s(nul)),s(nul)),on(s(nul),nul),
              ta(nul),cl(s(s(nul))),em], Sequence, []).

blocksol. Finally a case where there exists a solution. 

actionZerol([ho(V)], [ta(V), cl(V), em]).
actionZerol([cl(V), ta(V), em], [ho(V)]).
actionZerol([ho(V), cl(W)], [on(V,W), cl(V), em]).
actionZerol([cl(V), on(V,W), em], [ho(V), cl(W)]).
actionZerol([on(X,Y), cl(X), em],
            [on(s(X),X), on(X,Y), cl(s(X)), em]).
causesZerol(I, I).
causesZerol(I, G) :- actionZerol(C, E), m_subset(C, I, Z),
                     app(E, Z, S), causesZerol(S, G).
m_subset([], L, L).
m_subset([H|T], L1, L2) :- delete(H, L1, L3), m_subset(T, L3, L2).
delete(M, [M|T], T).
delete(M, [H|T], [H|L]) :- delete(M, T, L).
app([], X, X).
app([X|Y], Z, [X|W]) :- app(Y, Z, W).
blocksol :- causesZerol([on(s(0),0),ta(0),cl(s(0)),em],
                        [on(s(s(0)),s(0)),on(s(0),0),ta(0),cl(s(s(0))),em]).
7.2 An example of input for FINDER 



FINDER supports only nulladic, monadic and dyadic functions. As predicates 
are declared as functions with boolean as value sort, these restrictions also apply 
to predicate definitions and force some transformation for predicates with arity 
> 2: for example a ternary atom $p(t_1, t_2, t_3)$ is encoded as $p(t_1, arg_p(t_2, t_3))$ where 
$arg_p/2$ is a binary functor used to encode atoms with predicate $p/3$ and which 
constructs a term in a sort different from the sort of the terms $t_1$, $t_2$, and $t_3$ of 
the original atom. To have the same expressivity as the original $p$ based on a 
2 element domain pre-interpretation, the pre-interpretation of $arg_p$ has to be 
based on a 4 element domain. 

Input for the multisetl problem. The ternary predicate delete/3 has been 
converted in a binary delete_was3/2 predicate. Besides the sort term for all 
terms of the original program, a sort pair has been introduced. The extra functor 
delete_argpair is used to bundle two terms of sort term into one of sort pair. 

sort { term cardinality = 2.
       pair cardinality = 4.
}

const { a: term.
        b: term.
        nil: term.
        mil: bool.
}

function { cons: term, term -> term.
           delete_argpair: term, term -> pair.
           delete_was3: term, pair -> bool.
           sml: term, term -> bool.
}

clause { mil -> false.
         sml(cons(a, nil), z), sml(z, cons(b, nil)) -> mil.
         sml(nil, nil).
         delete_was3(y, delete_argpair(w, z)), sml(x, z)
             -> sml(cons(y, x), w).
         delete_was3(z, delete_argpair(cons(z, y), y)).
         delete_was3(w, delete_argpair(x, z))
             -> delete_was3(w, delete_argpair(cons(y, x), cons(y, z))).
}

setting { solutions: 1
          verbosity { models: brief stats: full job: brief }
}